Hi guys, I wanted to share a harrowing experience I have recently had. This is mainly aimed at developers/app creators just starting out. I posted a thread recently saying that I had 11,000 downloads on my chat application inside a month. At that point my app had done exceptionally well. However, a week ago, some hackers decided to make my life hell as a consequence of exposing some security flaws in it. I can only say that what happened next has been a quite stomach-churning experience. My app and my name have become infamous rather than famous; it's been all over the net. Some examples are here: http://aol.it/PnB8S6 http://bit.ly/1qsdx0n http://zd.net/1cMt5sq Plus my app went viral over Twitter and I received messages of hate and resentment, even people wishing me death. My Twitter and GoDaddy accounts were hacked and I only resumed control of the latter yesterday after 3 days of being locked out. Twitter have not even bothered to do anything about my account. So I have learnt a very valuable lesson: keep security of user information at the very top of your agenda or face a very harsh lesson. Suppoman
I think your biggest mistake was to threaten the person who contacted you. You could just have assured him that you would fix it as a first priority and this would never have blown up. Then you should have tried to fix the bug immediately. Whenever an irate customer contacts you, always be nice.
He wasn't an irate customer. He wanted to make a name for himself. He published his full disclosure on the internet without getting in contact with me via the support email address which is in the app or my app email address which is on my website. Furthermore, he went on to instigate the hacking events that took place. If he had contacted me first it would have been a different story.
"How Snapchat imitator Puffchat managed to do everything wrong Summary: Early this week Snapchat imitator Puffchat threatened a hacker for disclosing serious security holes and fallacies in the app's privacy claims. As expected, things aren't going well for Puffchat's arrogant founder." 1) I don't think you (or anyone) deserves getting hate mail and threats. 2) I do sympathise with the grief you must have when you read stuff like that about yourself. Probably not what you hoped for when releasing the app. 3) Security issues should always be addressed without getting defensive. My suggestion is just lay down flat and take responsibility; it works for politicians all over the world for a reason. Those who get too stubborn, in denial or refuse to accept the responsibility often find themselves in a worse and worse situation. Admit it (whatever 'it' is), say you are sorry for compromising users' trust, and that you are working day and night on a solution.
Forgive me if I'm wrong, but were you passing the link to the image stored on the server in plain text? Or were you at least using MD5 or a similar hashing algo (preferably then also using a private key/salt or what have you)? The backlash doesn't seem to have much to do with the lack of security, more so with the fact that you claimed it was secure and then, when a "hacker" (let's be honest, this wasn't some expert blackhat) exposed security flaws, you actually blamed them. Yes, the hacker should have brought the issues to your attention privately, but it still seems you handled the situation in just about the worst way imaginable. Nevertheless, thank you for sharing your valuable and hard-learned lesson with the community. Hopefully many will learn from this and avoid making similar mistakes with security of user data. Good luck going forward, I hope you're able to bounce back from this hiccup!
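As an added illustration of the question this comment raises (example code written for this thread, not code from Puffchat, the original poster, or any of the linked articles): an unkeyed MD5 of a predictable image identifier only looks opaque, because anyone who can guess the identifier computes the same name; what actually stops enumeration is a server-side secret the client never sees, such as an HMAC-signed, expiring URL. The identifier scheme, the key and the `/media/` path prefix below are all made up for the example.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample data for this example (hypothetical, not Puffchat's real scheme):
# a predictable per-user image identifier and a server-side secret key.
IMAGE_ID = "user42/photo/17"
SERVER_KEY = b"example-server-secret-keep-this-off-the-client"
MEDIA_PREFIX = "/media/"


def md5_name(image_id: str) -> str:
    """Unkeyed MD5 of the identifier. It looks random, but user ids and
    counters are easy to enumerate, and the hash has no secret input."""
    return hashlib.md5(image_id.encode()).hexdigest()


def attacker_recomputes(image_id: str) -> str:
    """An attacker who guesses the identifier reproduces the exact same name."""
    return hashlib.md5(image_id.encode()).hexdigest()


def _token(key: bytes, image_id: str, expires_at: int) -> str:
    """HMAC-SHA256 over identifier and expiry; only the key holder can produce it."""
    msg = f"{image_id}|{expires_at}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_url(key: bytes, image_id: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Issue a short-lived URL the server can verify without a database lookup."""
    now = int(time.time()) if now is None else now
    expires_at = now + ttl_seconds
    sig = _token(key, image_id, expires_at)
    return f"{MEDIA_PREFIX}{image_id}?exp={expires_at}&sig={sig}"


def verify_url(key: bytes, url: str, now: Optional[int] = None) -> bool:
    """Accept the URL only if it is unexpired and the signature matches.
    Changing the path, the expiry or the signature makes verification fail."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    if not parts.path.startswith(MEDIA_PREFIX):
        return False
    image_id = parts.path[len(MEDIA_PREFIX):]
    query = parse_qs(parts.query)
    try:
        expires_at = int(query["exp"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False
    if now > expires_at:
        return False
    # Constant-time comparison so response timing does not leak matching bytes.
    return hmac.compare_digest(_token(key, image_id, expires_at), sig)


if __name__ == "__main__":
    print("unkeyed MD5 is guessable:", md5_name(IMAGE_ID) == attacker_recomputes(IMAGE_ID))
    url = sign_url(SERVER_KEY, IMAGE_ID, ttl_seconds=60, now=1_700_000_000)
    print(url)
    print("valid when issued:", verify_url(SERVER_KEY, url, now=1_700_000_000))
    print("valid after expiry:", verify_url(SERVER_KEY, url, now=1_700_000_100))
    print("valid after tampering:", verify_url(SERVER_KEY, url.replace("user42", "user43"), now=1_700_000_000))
```

The point of the design is that the signing key lives only on the server, so a client (or anyone reading traffic or decompiling the app) cannot mint a URL for someone else's image, and an expiry bounds how long a leaked link stays useful.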
You know the old saying, there is no such thing as bad publicity! This media frenzy has brought your app to a huge number of people who would never have otherwise heard of it. Now you need to turn the crisis into an opportunity...
Ok so you should never receive death threats or harassment for any app (well, they should at least wait until you are earning 50k a day). Let's face it, you made a shoddy messaging app with absolutely no thought to users' data security. You will now find that trying to upgrade the security to even a reasonable standard will cost more than it did to make the app. And now you're going to be on every hacker's hit list, so when that "New Update" is released with improved security you had better make sure it's bulletproof, as it would be a great story to run if your new update is hacked within 5 mins of it being uploaded. Not a good idea to threaten to sue somebody for no reason, especially as you don't have the 100k needed to stage a defamation case that you would lose. I would be more worried about users suing you for breaches of the Data Protection Act. Having said that, Simpleinteractive is right, there is no such thing as bad publicity and for a short window whatever you say will get media traction. You could turn this into a positive!! A public apology to the hacker would be a start! I would also like to reiterate Broxxar's comment and thank you for being honest here; this is a great lesson that all developers should take note of. Hope you can find a silver lining!
Agree with the general sentiment here - you promised a secure app and it had almost no security. Don't shoot the messenger. Still, I find a poetic justice in that the "wronged" consist largely of vacuous kids looking for a way to secretly send pictures of their junk. In fact, that probably guarantees that you won't get sued by a customer.
First off, my heart goes out to you superman. You're in a tough spot, no question. I'd be curious to hear more of this community's opinion on this specifically: Any publicity is good? In some casual, hypothetical, conversational sense I agree. But in a humbling yet severe case like this, would fighting that battle even be worth the effort and anguish? I simply don't know if I would fight on, or start from scratch.
If you can turn it around into a positive any news is good news, but this dev shot himself in the foot by acting like a bully. Imagine if, upon the news being published, the dev shot the reporters a quick "we're working on it, it's our highest priority" line, fixed the issue(s) then sent out a press release stating, "Yes, there was a flaw in our security, but we've fixed it, now you're EVEN MORE secure than before!"
Apps are very cheap or even free, so the user takes no risk in downloading an app which has become notorious because people have blogged about it. In a sense whether the bloggers loved or hated it is immaterial. People will download it to see if it was as good/bad as they say. Good publicity is better than bad publicity but both are *infinitely* better than no publicity. Personally I'd be delighted to see any type of publicity! There are many examples of a product becoming a monster hit on the back of bad publicity. Flappy Bird had "bad publicity": it was too hard/frustrating, critics said. The Da Vinci Code became popular largely because the Catholic Church disliked it. Books and apps are discretionary purchases where there is no such thing as bad publicity. Bad publicity for major purchases like a car would be less helpful!
I agree with some of the others. It's a messaging app. Not secure. Some kid exposed it and you threatened to sue! Sounds very over the top and harsh. Of course the name calling/threats are terrible (contact Twitter if you get threats there) but sadly this is commonplace now on social media networks. But as for the app not being secure: doesn't sound good at all. I wouldn't shoot the messenger. Actually, be thankful they exposed some major flaws which you should fix (and should have found originally).
Reading the articles, it's claimed that outsourcing was involved? If this is true, no doubt they told you it was really secure. This is one of the dangers if you don't have a competent developer at your end to check their work and understand what measures they're putting in place. As others have said, maybe just quietly get on with fixing it and 'relaunching' with a 'now even more secure' tagline. Good luck.
..oh I forgot to add, ignore any 'death threats'; it now seems to be the norm on the internet to say these phrases. Trust me, they don't mean it and they will move on to the next thing when you go quiet. Take a break from the internet perhaps?